Back to Blog

VPN vs Cloudflare Tunnel: Secure Remote Access for Your Homelab

Compare VPN and Cloudflare Tunnel for accessing your homelab remotely. Learn the pros, cons, and ideal use cases for each approach.

Posted by

Secure tunnel connection diagram

Access Your Homelab from Anywhere

A homelab is most valuable when you can access it remotely. Whether you're traveling, at work, or just away from home, you need a secure way to reach your services.

Two popular approaches dominate: traditional VPNs and Cloudflare Tunnel. Let's explore which is right for you.

VPN (WireGuard/OpenVPN)

A VPN creates an encrypted tunnel directly to your home network, making your device appear to be on your local network.

Pros:

  • Full network access: Access everything as if you were home
  • No third parties: Direct connection, no middleman
  • Works with any protocol: SSH, RDP, game servers, anything
  • Internet exit: Route all traffic through home for privacy

Cons:

  • Port forwarding required: Must open ports on your router
  • Client needed: Every device needs VPN software
  • Dynamic IP issues: Requires DDNS if you don't have static IP
  • Some networks block VPN: Corporate/hotel WiFi may block VPN ports
# WireGuard Docker Compose
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - SERVERURL=vpn.yourdomain.com
      - PEERS=5
    volumes:
      - ./config:/config
    ports:
      - "51820:51820/udp"
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Cloudflare Tunnel

Cloudflare Tunnel creates an outbound-only connection to Cloudflare's network, which then routes traffic to your services.

Pros:

  • No port forwarding: Works behind any NAT or firewall
  • No client needed: Access via browser at custom domains
  • Built-in SSL: Automatic HTTPS certificates
  • Access controls: Cloudflare Access for authentication
  • DDoS protection: Cloudflare's network protects your services

Cons:

  • HTTP/S only: Doesn't work for SSH, RDP, game servers
  • Third party: Cloudflare sees your traffic
  • Dependency: If Cloudflare is down, you're down
  • ToS restrictions: Video streaming may violate ToS
# Cloudflare Tunnel Docker Compose
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=${CF_TUNNEL_TOKEN}
    restart: unless-stopped

When to Use Each

Use VPN for:

  • Full network access needs
  • SSH, RDP, database connections
  • Maximum privacy (no third parties)
  • Gaming and streaming

Use Cloudflare Tunnel for:

  • Web applications only
  • Sharing services with others who won't install VPN
  • When you can't open ports (CGNAT, restricted network)
  • Quick setup without router configuration

The Best of Both Worlds

Many homelab users run both! Use Cloudflare Tunnel for web services you want easily accessible (Nextcloud, Immich), and VPN for full network access when you need it.

This hybrid approach gives you convenience for web apps while maintaining secure access to everything else.

Continue Reading